How to configure DomainKeys DKIM for email authentication and is it still relevant?

Key findings

• Deprecation: DomainKeys has been officially deprecated. It is an older standard that has been replaced by the more robust and widely adopted DKIM.
• Receiver validation: Email recipients (mailbox providers) no longer actively check or validate DomainKeys signatures. Any effort to configure it is unlikely to impact email deliverability or authentication results.
• Coexistence with DKIM: Some legacy email sending platforms might still include DomainKeys signing as an artifact, often layered on top of their DKIM implementation. This typically happens because they haven't removed the old code.
• Technical overlap: The underlying principles of cryptographic signing using public and private keys are similar between DomainKeys and DKIM, which is why some tools might generate keys compatible with both.

Key considerations

• Focus on current standards: For modern email deliverability, the primary focus should be on correctly configuring SPF, DKIM, and DMARC. These are the three pillars of email authentication that mailbox providers rely on.
• Avoid unnecessary complexity: Adding DomainKeys can introduce extra processing overhead and increase email size without providing any benefit for deliverability, as receivers will ignore it.
• Learning vs. Production: While useful for learning historical email authentication mechanisms, implementing DomainKeys in a production environment is strongly advised against. Prioritize understanding and implementing current best practices like how to set up DMARC, DKIM, and SPF.
• DNS records: If you encounter DomainKeys records in DNS, they are typically TXT records under a _domainkey subdomain. However, for active authentication, you should focus on your DKIM records.

Key opinions

• Current relevance: Many marketers are unaware of DomainKeys or consider it a relic, as modern email service providers (ESPs) primarily support DKIM.
• Focus on DKIM: The main emphasis is on correctly setting up and verifying DKIM signatures to ensure email authenticity and improve inbox placement.
• Confusion: Some new marketers or those learning about deliverability might get confused by the historical presence of DomainKeys alongside DKIM.
• Learning priority: When learning about email infrastructure, it's tempting to explore older, deprecated standards, but this time is better spent on improving current email deliverability techniques.

Key considerations

• Prioritize DMARC readiness: Ensure your DKIM setup is robust to achieve DMARC alignment, which is crucial for compliance with major mailbox providers like Google and Yahoo.
• Check ESP documentation: When setting up email authentication, always refer to your ESP's current documentation, which will overwhelmingly focus on DKIM, not DomainKeys.
• Resource allocation: Time and resources are better invested in mastering SPF and DKIM for email marketing and monitoring DMARC reports.
• Stay updated: Email authentication standards evolve. Stay informed about the latest requirements from mailbox providers to maintain optimal inbox placement (for example, the importance of setting up DKIM correctly is paramount).

Key opinions

• No validation: No major email receiver (mailbox provider) performs DomainKeys validation anymore. Any signatures applied using this protocol will be ignored.
• Historical artifact: If DomainKeys signatures are still present on outbound mail, it's typically because senders haven't removed them from their legacy MTA configurations, not because they are required.
• Resource misallocation: Effort spent on DomainKeys diverts attention and resources from critical modern authentication protocols like DKIM and DMARC, which are essential for deliverability.
• Testing difficulties: It's difficult to test DomainKeys because there are no common receiving systems that will parse and report on its validity.
• Code layering: Many ESPs simply layered DKIM on top of existing DomainKeys implementations during the transition period, which is why older codebases might still show support.

Key considerations

• Modern software compatibility: Modern email software and MTAs primarily support DKIM. Attempting to configure DomainKeys may require using legacy software versions or specific hacks.
• DNS records: While DomainKeys records might resemble DKIM TXT records (e.g., selector._domainkey), their presence does not contribute to current authentication validity. Understanding DKIM selector name examples is far more important.
• Test environments: For historical or educational purposes, setting up a specific controlled test environment with older software might be necessary to observe DomainKeys in action, but this should not be confused with production needs.
• Avoiding lore: Beware of outdated information or 'lore' that suggests DomainKeys is still required by certain providers; this is generally untrue and based on historical misconceptions.
• Troubleshooting focus: When troubleshooting authentication issues, focus on verifying your SPF, DKIM, and DMARC records and message headers. Any DomainKeys failure is irrelevant to modern deliverability. See how to troubleshoot DKIM implementation issues.

Key findings

• RFCs: DomainKeys was defined in RFC 4870 (now obsoleted), while DKIM is defined primarily in RFC 6376, indicating a clear progression and replacement.
• Standardization: DKIM became a proposed standard by the IETF (Internet Engineering Task Force), signifying its broad industry acceptance, unlike DomainKeys which remained a de-facto standard by Yahoo!.
• Policy records: DomainKeys involved policy records (e.g., _domainkey.example.com) for publishing signing policies, a concept later streamlined within DKIM's single record.
• Key types: Both protocols use RSA cryptography for public/private key pairs, but DKIM allows for more flexible key management and hashing algorithms.

Key considerations

• Refer to current RFCs: For accurate information on email authentication, always consult the latest RFCs for DKIM and DMARC rather than outdated DomainKeys specifications.
• Simplicity through deprecation: The deprecation of DomainKeys simplifies the authentication landscape, allowing administrators to focus on a unified, widely supported standard.
• Interoperability: DKIM's design ensures better interoperability across different mail systems and provides clearer signals for DMARC alignment. For example, DKIM signs emails to comply with DMARC.
• Configuration for PMTA: While some PMTAs might have a dk-sign yes option, it is crucial to verify if this enables DomainKeys or DKIM, and if the generated key pair is used for the active standard. Always aim for DKIM. If issues arise, see what causes Gmail SPF/DKIM issues.